Vulnerabilities

A vulnerability is a weakness in software that an attacker could use to compromise an individual user or an IT system. When a software company discovers (or is told about) a weakness in one of its programs, it usually develops a fix, called a patch, and makes it available to users, often quickly. Installing the patch closes the weakness so it no longer gives an attacker a way into a computer or network. Vulnerabilities exist in operating systems as well as in individual programs, and a flaw in a widely used component can leave a very large number of users and systems exposed to attack.

Exploit Kits Take Advantage of Vulnerabilities

When a vulnerability becomes known in the criminal underground, attackers often package working code that triggers it into what are known as exploit kits: ready-made utility programs that let other attackers, with little skill of their own, take advantage of the flaw. Exploit kits are bought and sold in criminal markets, and attacks using them can begin before the software company has developed and issued a protective patch, and continue afterwards against anyone who has not installed it.

Impact-Severity Ratings

The Common Vulnerability Scoring System (CVSS), maintained by FIRST and used by the National Institute of Standards and Technology (NIST, a unit of the U.S. Department of Commerce) in its National Vulnerability Database, calculates a numeric severity score for a weakness and maps it to a qualitative rating of None, Low, Medium, High or Critical (in CVSS v3, scores of 0, 0.1 to 3.9, 4.0 to 6.9, 7.0 to 8.9 and 9.0 to 10.0 respectively). The score measures the potential impact of a weakness and how easily it can be exploited; it does not say whether the weakness is actually being exploited. The number of vulnerabilities assigned the Critical rating has been growing; the 2,070 critical vulnerabilities reported in 2017 were almost twice the number reported the previous year.

Attack-Difficulty Ratings

Software and operating system vulnerabilities are also rated on how hard they are to exploit. CVSS v2 called this metric Access Complexity and rated it High, Medium or Low; CVSS v3 renamed it Attack Complexity (AC) and kept only Low and High. Either way, the rating represents how difficult or easy it is for an attacker to take advantage of the vulnerability. A rating of High means specialized conditions must exist before an attack can succeed (for example, the attacker must win a race condition or first gather specific knowledge about the target), or the attack is easily noticed and counteracted. Medium (in v2) means some special requirement or an uncommon configuration is needed. Low means no special conditions are required and the vulnerable component is reachable by a large number of users, often anonymously. Low-complexity vulnerabilities in widely deployed software are the ones that can affect the most users and carry the greatest potential for damage, because the same attack works everywhere the software is installed.

Steps To Protect Yourself

Because software companies issue patches for the security weaknesses they discover, one of the best ways to protect yourself is to install those patches as soon as they become available, or to enable automatic updates so you do not have to remember to. The aim is to narrow the window of opportunity an attacker has between the discovery of a vulnerability and the installation of the patch on your own system: a patch that has been released but not installed protects nothing.

If you are currently using one of the free antivirus programs, consider upgrading to a more comprehensive security product that protects against the widest possible range of known and potential threats. Keep in mind that antivirus detects malicious files and behaviour; it does not remove the underlying vulnerability, so it complements patching rather than replacing it.